Permissions in Amazon Identity and Access Management for Amazon ParallelCluster

Amazon ParallelCluster uses IAM permissions to control access to resources when it creates and manages clusters.

To create and manage clusters in an Amazon account, Amazon ParallelCluster needs two levels of permissions:
  • The permissions the pcluster user needs to invoke the pcluster CLI commands that create and manage clusters.

  • The permissions cluster resources need to perform cluster actions.

Amazon ParallelCluster uses EC2 instance profiles and roles to provide cluster resource permissions. To manage cluster resource permissions, Amazon ParallelCluster also needs permissions on IAM resources. For more information, see Amazon ParallelCluster example user policies for managing IAM resources.

The pcluster user needs IAM permissions to create and manage clusters and their resources with the pcluster CLI. These permissions are contained in IAM policies that you can add to a user or a role. For more information about IAM roles, see Creating a role for a user in the Amazon Identity and Access Management User Guide.

You can also use the Amazon ParallelCluster configuration parameters for managing IAM permissions.

The following sections contain the required permissions, with examples.

To use the example policies, replace <REGION>, <Amazon ACCOUNT ID> and similar strings with the appropriate values.

You can track changes to the example policies in the Amazon ParallelCluster documentation on GitHub.

Amazon ParallelCluster EC2 instance roles

When you create a cluster with the default configuration settings, Amazon ParallelCluster automatically creates a default cluster EC2 instance role, delivered through an EC2 instance profile, that provides the permissions needed to create and manage the cluster and its resources.

Alternatives to the default Amazon ParallelCluster instance role

You can use the InstanceRole cluster configuration setting to specify your own existing IAM role for EC2 instead of the default Amazon ParallelCluster instance role. For more information, see Amazon ParallelCluster configuration parameters for managing IAM permissions. Typically, you specify an existing IAM role to take full control of the permissions granted to EC2.

If you intend to add extra policies to the default instance role, we recommend passing the additional IAM policies with the AdditionalIamPolicies configuration setting rather than the InstanceProfile or InstanceRole settings. You can update AdditionalIamPolicies when you update a cluster, but you cannot update InstanceRole on a cluster update.

Amazon ParallelCluster pcluster user example policies

The following examples show the user policies required to create an Amazon ParallelCluster and manage its resources with the pcluster CLI. You can attach the policies to a user or a role.

Base Amazon ParallelCluster pcluster user policy

The following policy shows the permissions required to run Amazon ParallelCluster pcluster commands.

The last action listed in the policy is used to validate any secrets specified in the cluster configuration. For example, an Amazon Secrets Manager secret is used to configure DirectoryService integration. In that case, the cluster is created only if a valid secret exists at PasswordSecretArn. If this action is omitted, secret validation is skipped. To improve your security posture, we recommend narrowing this policy statement to only the secrets specified in the cluster configuration.

Note

If an existing Amazon EFS file system is the only file system used in the cluster, you can narrow the example Amazon EFS policy statement to the specific file system referenced in the SharedStorage section of the cluster configuration file.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:Describe*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Read"
    },
    {
      "Action": [
        "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume",
        "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:DeletePlacementGroup",
        "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DisassociateAddress",
        "ec2:ModifyLaunchTemplate", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyVolume",
        "ec2:ModifyVolumeAttribute", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Write"
    },
    {
      "Action": [
        "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource", "dynamodb:CreateTable",
        "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
        "dynamodb:Query", "dynamodb:TagResource"
      ],
      "Resource": "arn:aws:dynamodb:*:<Amazon ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDB"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource",
        "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange",
        "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Route53HostedZones"
    },
    {
      "Action": ["cloudformation:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms", "cloudwatch:PutCompositeAlarm"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [
        "iam:GetRole", "iam:GetRolePolicy", "iam:GetPolicy", "iam:SimulatePrincipalPolicy",
        "iam:GetInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:policy/*",
        "arn:aws:iam::aws:policy/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRead"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamInstanceProfile"
    },
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "lambda.amazonaws.com", "ec2.amazonaws.com", "spotfleet.amazonaws.com"
          ]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Action": [
        "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration",
        "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission",
        "lambda:RemovePermission", "lambda:UpdateFunctionConfiguration", "lambda:TagResource",
        "lambda:ListTags", "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:parallelcluster-*",
        "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*",
        "arn:aws:s3:::aws-parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::*-aws-parallelcluster*",
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": ["elasticfilesystem:*"],
      "Resource": ["arn:aws:elasticfilesystem:*:<Amazon ACCOUNT ID>:*"],
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": [
        "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups",
        "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:FilterLogEvents",
        "logs:GetLogEvents", "logs:CreateExportTask", "logs:DescribeLogStreams",
        "logs:DescribeExportTasks", "logs:DescribeMetricFilters", "logs:PutMetricFilter",
        "logs:DeleteMetricFilter"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogs"
    },
    {
      "Action": ["resource-groups:ListGroupResources"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ResourceGroupRead"
    },
    {
      "Sid": "AllowDescribingFileCache",
      "Effect": "Allow",
      "Action": ["fsx:DescribeFileCaches"],
      "Resource": "*"
    },
    {
      "Action": "secretsmanager:DescribeSecret",
      "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET NAME>",
      "Effect": "Allow"
    }
  ]
}

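To narrow the secretsmanager:DescribeSecret statement to the secrets the cluster configuration actually references, as recommended above, the following added example (not Amazon ParallelCluster code) derives that statement from a parsed cluster configuration and refuses malformed or wildcard ARNs so that a typo cannot silently widen it. The configuration is a constructed sample already loaded into a dict; the account ID, region and secret names are invented, and the second entry assumes a Scheduling/SlurmSettings/MungeKeySecretArn parameter.

```python
"""Derive a scoped secretsmanager:DescribeSecret statement from a cluster config.
Added example, not Amazon ParallelCluster code."""
import json
import re

# Constructed sample in the shape of a cluster configuration parsed into a dict.
# Account ID, region and secret names are invented.
SAMPLE_CONFIG = {
    "Region": "us-east-1",
    "DirectoryService": {
        "DomainName": "corp.example.com",
        "DomainAddr": "ldaps://corp.example.com",
        "PasswordSecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:ad-bind-password-AbCdEf",
        "DomainReadOnlyUser": "cn=ReadOnly,ou=Users,dc=corp,dc=example,dc=com",
    },
    "Scheduling": {
        "Scheduler": "slurm",
        # Assumed parameter name (Scheduling/SlurmSettings/MungeKeySecretArn).
        "SlurmSettings": {
            "MungeKeySecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:munge-key-GhIjKl",
        },
    },
}

# A single Secrets Manager secret ARN: no whitespace and no '*' or '?' wildcards.
SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^\s*?]+$")


def find_secret_arns(node, path=()):
    """Walk the config and return (config path, ARN) for every *SecretArn value."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith("SecretArn") and isinstance(value, str):
                found.append(("/".join(path + (key,)), value))
            else:
                found.extend(find_secret_arns(value, path + (key,)))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(find_secret_arns(value, path + (str(i),)))
    return found


def describe_secret_statement(config):
    """Return the scoped statement, or None when the config references no secret
    (then the statement can be omitted and validation is skipped, as described above)."""
    arns = sorted({arn for _, arn in find_secret_arns(config)})
    if not arns:
        return None
    bad = [arn for arn in arns if not SECRET_ARN.match(arn)]
    if bad:
        raise ValueError(f"not a single Secrets Manager secret ARN: {bad}")
    return {
        "Sid": "SecretsManagerDescribeConfiguredSecrets",
        "Effect": "Allow",
        "Action": "secretsmanager:DescribeSecret",
        "Resource": arns,
    }


if __name__ == "__main__":
    print(json.dumps(describe_secret_statement(SAMPLE_CONFIG), indent=2))
```

The generated statement replaces the `<SECRET NAME>` placeholder statement in the base policy; rerun it whenever a secret is added to or removed from the cluster configuration.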
Additional Amazon ParallelCluster pcluster user policy when using the Amazon Batch scheduler

If you need to create and manage clusters with the Amazon Batch scheduler, the following additional policy is required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "ecs-tasks.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com"
          ]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": ["batch.amazonaws.com"]
        }
      },
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole"],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/aws-service-role/batch.amazonaws.com/*"],
      "Effect": "Allow"
    },
    {
      "Action": ["codebuild:*"],
      "Resource": "arn:aws:codebuild:*:<Amazon ACCOUNT ID>:project/pcluster-*",
      "Effect": "Allow"
    },
    {
      "Action": ["ecr:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECR"
    },
    {
      "Action": ["batch:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Batch"
    },
    {
      "Action": ["events:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AmazonCloudWatchEvents"
    },
    {
      "Action": ["ecs:DescribeContainerInstances", "ecs:ListContainerInstances"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECS"
    }
  ]
}

Additional Amazon ParallelCluster pcluster user policy when using Amazon FSx for Lustre

If you need to create and manage clusters with Amazon FSx for Lustre, the following additional policy is required.

Note

If an existing Amazon FSx file system is the only file system used in the cluster, you can narrow the example Amazon FSx policy statement to the specific file system referenced in the SharedStorage section of the cluster configuration file.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": ["fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com"]
        }
      },
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["fsx:*"],
      "Resource": ["arn:aws:fsx:*:<Amazon ACCOUNT ID>:*"],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": ["iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
      "Effect": "Allow"
    },
    {
      "Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
      "Resource": "arn:aws:s3:::<S3 NAME>",
      "Effect": "Allow"
    }
  ]
}

Amazon ParallelCluster image build pcluster user policy

Users who intend to create custom EC2 images with Amazon ParallelCluster must have the following set of permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeImages", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes",
        "ec2:DeregisterImage", "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:GetRole",
        "iam:GetRolePolicy", "iam:GetInstanceProfile", "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/ParallelClusterImage*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAM"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["lambda.amazonaws.com", "ec2.amazonaws.com"]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAMPassRole"
    },
    {
      "Action": ["logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:DeleteLogGroup"],
      "Resource": [
        "arn:aws:logs:*:<Amazon ACCOUNT ID>:log-group:/aws/imagebuilder/ParallelClusterImage-*",
        "arn:aws:logs:*:<Amazon ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": ["cloudformation:DescribeStacks", "cloudformation:CreateStack", "cloudformation:DeleteStack"],
      "Resource": ["arn:aws:cloudformation:*:<Amazon ACCOUNT ID>:stack/*"],
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "lambda:CreateFunction", "lambda:GetFunction", "lambda:AddPermission", "lambda:RemovePermission",
        "lambda:DeleteFunction", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource"
      ],
      "Resource": ["arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:ParallelClusterImage-*"],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": ["imagebuilder:Get*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ImageBuilderGet"
    },
    {
      "Action": [
        "imagebuilder:CreateImage", "imagebuilder:TagResource", "imagebuilder:CreateImageRecipe",
        "imagebuilder:CreateComponent", "imagebuilder:CreateDistributionConfiguration",
        "imagebuilder:CreateInfrastructureConfiguration", "imagebuilder:DeleteImage",
        "imagebuilder:DeleteComponent", "imagebuilder:DeleteImageRecipe",
        "imagebuilder:DeleteInfrastructureConfiguration", "imagebuilder:DeleteDistributionConfiguration"
      ],
      "Resource": [
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:image/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:image-recipe/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:component/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*"
      ],
      "Effect": "Allow",
      "Sid": "ImageBuilder"
    },
    {
      "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions"],
      "Resource": ["arn:aws:s3:::parallelcluster-*"],
      "Effect": "Allow",
      "Sid": "S3Bucket"
    },
    {
      "Action": [
        "sns:GetTopicAttributes", "sns:TagResource", "sns:CreateTopic", "sns:Subscribe",
        "sns:Publish", "SNS:DeleteTopic", "SNS:Unsubscribe"
      ],
      "Resource": ["arn:aws:sns:*:<Amazon ACCOUNT ID>:ParallelClusterImage-*"],
      "Effect": "Allow",
      "Sid": "SNS"
    },
    {
      "Action": [
        "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion"
      ],
      "Resource": ["arn:aws:s3:::parallelcluster-*/*"],
      "Effect": "Allow",
      "Sid": "S3Objects"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "imagebuilder.amazonaws.com"
        }
      }
    }
  ]
}

Amazon ParallelCluster example user policies for managing IAM resources

When you use Amazon ParallelCluster to create a cluster or a custom AMI, you must provide IAM policies that grant the Amazon ParallelCluster components the set of permissions they need. These IAM resources can be created automatically by Amazon ParallelCluster when the cluster or custom image is created, or they can be provided as input.

You can use the following modes to give the Amazon ParallelCluster user the permissions needed to access IAM resources, by adding additional IAM policies in the configuration.

Privileged IAM access mode

In this mode, Amazon ParallelCluster automatically creates all the necessary IAM resources. These IAM policies are scoped down so that they allow access only to cluster resources.

To enable privileged IAM access mode, add the following policy to the user role.

Note

If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the Amazon ParallelCluster user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the ARN of each additional policy to the condition of the statement that allows attaching and detaching role policies.

Warning

This mode gives the user IAM administrator permissions in the Amazon Web Services account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole"],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Action": ["iam:CreateRole"],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}

Restricted IAM access mode

If no additional IAM policy is granted to the user, the IAM roles required by the cluster or by the custom image build must be created manually by an administrator and passed as part of the cluster configuration.

When creating a cluster, the following parameters are required:

When building a custom image, the following parameters are required:

The IAM roles passed through the parameters listed above must be created with the /parallelcluster/ path prefix. If that is not possible, the user policy needs to be updated to grant the iam:PassRole permission on the specific custom roles, as shown in the following example.

{
  "Condition": {
    "StringEqualsIfExists": {
      "iam:PassedToService": [
        "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com",
        "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com"
      ]
    }
  },
  "Action": ["iam:PassRole"],
  "Resource": [<list all custom IAM roles>],
  "Effect": "Allow",
  "Sid": "IamPassRole"
}

Warning

Currently, this mode does not allow managing Amazon Batch clusters, because not all IAM roles can be passed in the cluster configuration.

PermissionsBoundary mode

This mode delegates to Amazon ParallelCluster the creation of IAM roles that are bound to the configured IAM permissions boundary. For more information about IAM permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The following policy needs to be added to the user role.

In the policy, replace <permissions-boundary-arn> with the ARN of the IAM policy to enforce as the permissions boundary.

Warning

If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the ARN of each additional policy to the condition of the statement that allows attaching and detaching role policies.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole"],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": ["<permissions-boundary-arn>"]
        }
      },
      "Action": ["iam:CreateRole"],
      "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": ["<permissions-boundary-arn>"]
        }
      },
      "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": ["<permissions-boundary-arn>"]
        },
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}

When this mode is enabled, you must specify the permissions boundary ARN in the Iam/PermissionsBoundary configuration parameter when creating or updating a cluster, and in the Build/Iam/PermissionsBoundary parameter when building a custom image.
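The conditions in the policies above are what keep the user from becoming an unrestricted IAM administrator: CreateRole succeeds only when the request carries the configured permissions boundary, AttachRolePolicy succeeds only for policy ARNs listed in the condition (which is why both notes above ask you to add each AdditionalPolicies ARN there), and the StringEqualsIfExists on iam:PassedToService lets PassRole through only to the listed services. The following added example (not Amazon ParallelCluster code) is a small evaluator for just those operators, run over the page's conditional statements with placeholders filled in; the account ID, boundary ARN and role ARN are constructed, and the policy-ARN list is shortened.

```python
"""Tiny evaluator for the conditional Allow statements on this page.
Added example, not Amazon ParallelCluster code. It models only what those
statements use: StringEquals, StringEqualsIfExists, StringLike and ArnLike,
plus '*' wildcards in Action, Resource and policy-ARN patterns. Explicit Deny
and the rest of IAM's operators are out of scope."""
import copy
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                                               # constructed
BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/pcluster-boundary"          # hypothetical
ROLE = f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/hpc-HeadNode"     # hypothetical

# The page's IamCreateRole, IamPolicy and IamPassRole statements, placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IamCreateRole", "Effect": "Allow", "Action": ["iam:CreateRole"],
         "Resource": [f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/*"],
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": [BOUNDARY]}}},
        {"Sid": "IamPolicy", "Effect": "Allow",
         "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/*",
         "Condition": {
             "StringEquals": {"iam:PermissionsBoundary": [BOUNDARY]},
             "ArnLike": {"iam:PolicyARN": [
                 f"arn:aws:iam::{ACCOUNT}:policy/parallelcluster*",
                 "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                 "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]}}},
        {"Sid": "IamPassRole", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": [f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/*"],
         "Condition": {"StringEqualsIfExists": {"iam:PassedToService": [
             "lambda.amazonaws.com", "ec2.amazonaws.com", "spotfleet.amazonaws.com"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(cond, ctx):
    """True when every (operator, key) pair in a Condition block matches ctx."""
    for operator, keys in cond.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, wanted in keys.items():
            if key not in ctx:
                if if_exists:
                    continue            # ...IfExists: an absent key still matches
                return False            # plain operator: an absent key fails
            actual, wanted = ctx[key], _as_list(wanted)
            if base == "StringEquals":
                ok = actual in wanted
            elif base in ("StringLike", "ArnLike"):
                ok = any(fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx=None):
    """Allow if any statement matches the action, the resource and the context."""
    ctx = ctx or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), ctx):
            return True
    return False


def can_create_role(boundary=None):
    ctx = {"iam:PermissionsBoundary": boundary} if boundary else {}
    return is_allowed(POLICY, "iam:CreateRole", ROLE, ctx)


def can_attach_policy(policy_arn, policy=POLICY, boundary=BOUNDARY):
    ctx = {"iam:PermissionsBoundary": boundary, "iam:PolicyARN": policy_arn}
    return is_allowed(policy, "iam:AttachRolePolicy", ROLE, ctx)


def can_pass_role(role_arn, service=None):
    ctx = {"iam:PassedToService": service} if service else {}
    return is_allowed(POLICY, "iam:PassRole", role_arn, ctx)


def with_additional_policy(policy, policy_arn):
    """What the notes above ask for when AdditionalPolicies is configured:
    add the extra policy ARN to the attach/detach statement's condition."""
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        if stmt.get("Sid") == "IamPolicy":
            stmt["Condition"]["ArnLike"]["iam:PolicyARN"].append(policy_arn)
    return new
```

The evaluator is deliberately minimal; for a real policy, use the iam:SimulatePrincipalPolicy permission the base user policy already grants and run the IAM policy simulator against the actual role.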

Amazon ParallelCluster configuration parameters for managing IAM permissions

Amazon ParallelCluster exposes a set of configuration options to customize and manage the IAM permissions and roles used in the cluster or during the custom AMI creation process.

Cluster configuration

Head node IAM role

HeadNode / Iam / InstanceRole | InstanceProfile

With this option you can override the default IAM role assigned to the head node of the cluster. For more details, see the InstanceProfile reference.

The following is the minimal set of policies used as part of this role when the scheduler is Slurm:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["s3:GetObject", "s3:GetObjectVersion"],
          "Resource": [
            "arn:aws:s3:::<REGION>-aws-parallelcluster/*",
            "arn:aws:s3:::dcv-license.<REGION>/*",
            "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
            "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem"
          ],
          "Resource": "arn:aws:dynamodb:<REGION>:<Amazon ACCOUNT ID>:table/parallelcluster-*",
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/parallelcluster:node-type": "Compute"
            }
          },
          "Action": "ec2:TerminateInstances",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": ["ec2:RunInstances", "ec2:CreateFleet"],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": ["ec2.amazonaws.com"]
            }
          },
          "Action": ["iam:PassRole"],
          "Resource": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes",
            "ec2:DescribeInstanceAttribute", "ec2:DescribeCapacityReservations"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": ["ec2:CreateTags", "ec2:AttachVolume"],
          "Resource": [
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:instance/*",
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:volume/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource",
            "cloudformation:SignalResource"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": ["route53:ChangeResourceRecordSets"],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
          "Effect": "Allow"
        }
      ]
    }

Note that if Scheduling/SlurmQueues/Iam/InstanceRole is used to override the compute IAM role, the head node policy reported above needs to include that role in the Resource section of the iam:PassRole permission.
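Two PassRole lists on this page depend on which roles a cluster configuration supplies: under restricted IAM access mode, roles created outside the /parallelcluster/ path prefix need an explicit iam:PassRole entry in the user policy, and, as the note above says, a compute role override must appear in the head node policy's iam:PassRole Resource. The following added example (not Amazon ParallelCluster code) derives both lists from a configuration. The configuration is a constructed sample already parsed into a dict, the account ID and role names are invented, and the service list is the one from the restricted-mode statement above.

```python
"""Work out which role ARNs a cluster config requires in the two iam:PassRole
statements discussed on this page. Added example, not Amazon ParallelCluster code."""
import re

ACCOUNT = "123456789012"                                          # constructed
PCLUSTER_ROLE_PATH = f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/"
# Services named in the restricted-mode iam:PassRole statement on this page.
PASS_TO_SERVICES = [
    "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com",
    "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com",
]

# Constructed sample: two roles sit under the /parallelcluster/ path, two do not.
SAMPLE_CONFIG = {
    "HeadNode": {"Iam": {"InstanceRole": f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/hpc-head"}},
    "Iam": {"Roles": {"LambdaFunctionsRole": f"arn:aws:iam::{ACCOUNT}:role/hpc-lambda"}},
    "Scheduling": {
        "Scheduler": "slurm",
        "SlurmQueues": [
            {"Name": "cpu", "Iam": {"InstanceRole": f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/hpc-compute"}},
            {"Name": "gpu", "Iam": {"InstanceRole": f"arn:aws:iam::{ACCOUNT}:role/hpc-gpu-compute"}},
        ],
    },
}

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def configured_roles(config):
    """Return {config path: role ARN} for every role the config passes in."""
    roles = {}
    head = config.get("HeadNode", {}).get("Iam", {}).get("InstanceRole")
    if head:
        roles["HeadNode/Iam/InstanceRole"] = head
    lam = config.get("Iam", {}).get("Roles", {}).get("LambdaFunctionsRole")
    if lam:
        roles["Iam/Roles/LambdaFunctionsRole"] = lam
    for queue in config.get("Scheduling", {}).get("SlurmQueues", []):
        role = queue.get("Iam", {}).get("InstanceRole")
        if role:
            roles[f"Scheduling/SlurmQueues/{queue['Name']}/Iam/InstanceRole"] = role
    return roles


def roles_needing_explicit_passrole(config):
    """Roles that role/parallelcluster/* in the default user policy does not cover."""
    custom = sorted(arn for arn in configured_roles(config).values()
                    if not arn.startswith(PCLUSTER_ROLE_PATH))
    bad = [arn for arn in custom if not ROLE_ARN.match(arn)]
    if bad:
        raise ValueError(f"not an IAM role ARN: {bad}")
    return custom


def user_passrole_statement(config):
    """The restricted-mode IamPassRole statement with the custom roles filled in,
    or None when every role already lives under the /parallelcluster/ path."""
    custom = roles_needing_explicit_passrole(config)
    if not custom:
        return None
    return {
        "Condition": {"StringEqualsIfExists": {"iam:PassedToService": PASS_TO_SERVICES}},
        "Action": ["iam:PassRole"],
        "Resource": custom,
        "Effect": "Allow",
        "Sid": "IamPassRole",
    }


def head_node_passrole_resources(config):
    """Resource list for the head node's iam:PassRole statement: the page's two
    defaults plus any compute role override outside the /parallelcluster/ path,
    because the head node passes the compute role when it launches compute nodes."""
    resources = {
        f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/*",
        f"arn:aws:iam::{ACCOUNT}:instance-profile/parallelcluster/*",
    }
    for path, arn in configured_roles(config).items():
        if "SlurmQueues" in path and not arn.startswith(PCLUSTER_ROLE_PATH):
            resources.add(arn)
    return sorted(resources)
```

Roles created under the /parallelcluster/ path need neither addition, which is why the page recommends that prefix in the first place.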

The following is the minimal set of policies used as part of this role when the scheduler is Amazon Batch:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectVersion"],
          "Resource": ["arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"],
          "Effect": "Allow"
        },
        {
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::dcv-license.<REGION>/*",
            "arn:aws:s3:::<REGION>-aws-parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": ["batch.amazonaws.com"]
            }
          },
          "Action": ["iam:PassRole"],
          "Resource": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "batch:DescribeJobQueues", "batch:DescribeJobs", "batch:ListJobs",
            "batch:DescribeComputeEnvironments"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "batch:SubmitJob", "batch:TerminateJob", "logs:GetLogEvents",
            "ecs:ListContainerInstances", "ecs:DescribeContainerInstances"
          ],
          "Resource": [
            "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
            "arn:aws:ecs:<REGION>:<Amazon ACCOUNT ID>:container-instance/AWSBatch-PclusterComputeEnviron*",
            "arn:aws:ecs:<REGION>:<Amazon ACCOUNT ID>:cluster/AWSBatch-Pcluster*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job-queue/PclusterJobQueue*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job-definition/PclusterJobDefinition*:*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes",
            "ec2:DescribeInstanceAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": ["ec2:CreateTags", "ec2:AttachVolume"],
          "Resource": [
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:instance/*",
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:volume/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "cloudformation:DescribeStackResource", "cloudformation:DescribeStacks",
            "cloudformation:SignalResource"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
          "Effect": "Allow"
        }
      ]
    }

Amazon S3 access

HeadNode/Iam/S3Access and Scheduling/SlurmQueues/Iam/S3Access

In these configuration sections you can customize Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or the compute nodes of the cluster, when those roles are created by Amazon ParallelCluster. For more information, see the reference documentation for each configuration parameter.

This parameter can be used only when the user is configured with Privileged IAM access mode or PermissionsBoundary mode.

Additional IAM policies

HeadNode/Iam/AdditionalIamPolicies and Scheduling/SlurmQueues/Iam/AdditionalIamPolicies

Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or the compute nodes of the cluster, when those roles are created by Amazon ParallelCluster.

Warning

To use this option, make sure the Amazon ParallelCluster user is granted the iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.

Amazon Lambda functions role

Iam / Roles / LambdaFunctionsRole

This option overrides the role attached to all Amazon Lambda functions used during cluster creation. Amazon Lambda needs to be configured as a principal allowed to assume the role.

Note

If DeploymentSettings/LambdaFunctionsVpcConfig is set, the LambdaFunctionsRole must include the Amazon Lambda role permissions for setting up the VPC configuration.

The following is the minimal set of policies used as part of this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/*",
      "Effect": "Allow"
    },
    {
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/lambda/pcluster-*"
    },
    {
      "Action": "ec2:DescribeInstances",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:TerminateInstances",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/parallelcluster:node-type": "Compute"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ]
    }
  ]
}

Compute node IAM role

Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile

This option allows overriding the IAM role assigned to the compute nodes of the cluster. For more information, see InstanceProfile.

The following is the minimal set of policies used as part of this role:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:GetItem"],
          "Resource": "arn:aws:dynamodb:<REGION>:<Amazon ACCOUNT ID>:table/parallelcluster-*",
          "Effect": "Allow"
        },
        {
          "Action": "s3:GetObject",
          "Resource": ["arn:aws:s3:::<REGION>-aws-parallelcluster/*"],
          "Effect": "Allow"
        },
        {
          "Action": "ec2:DescribeInstanceAttribute",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "cloudformation:DescribeStackResource",
          "Resource": ["arn:aws:cloudformation:<REGION>:<Amazon ACCOUNT ID>:stack/*/*"],
          "Effect": "Allow"
        }
      ]
    }

Permissions boundary

Iam / PermissionsBoundary

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary to all IAM roles created as part of the cluster deployment.

For the list of policies the user needs when this setting is defined, see PermissionsBoundary mode.

Custom image configuration

Instance role for EC2 Image Builder

Build / Iam / InstanceRole | InstanceProfile

With this option you can override the IAM role assigned to the EC2 instance that EC2 Image Builder launches to create the custom AMI.

The following is the minimal set of policies used as part of this role:

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • The arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder managed IAM policy. For more information, see EC2InstanceProfileForImageBuilder policy in the Image Builder User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["ec2:CreateTags", "ec2:ModifyImageAttribute"],
          "Resource": "arn:aws:ec2:<REGION>::image/*",
          "Effect": "Allow"
        }
      ]
    }

Amazon Lambda cleanup role

Build / Iam / CleanupLambdaRole

This option overrides the role attached to all Amazon Lambda functions used during the custom image build process. Amazon Lambda needs to be configured as a principal allowed to assume the role.

Note

If DeploymentSettings/LambdaFunctionsVpcConfig is set, the CleanupLambdaRole must include the Amazon Lambda role permissions for setting up the VPC configuration.

The following is the minimal set of policies used as part of this role:

  • The arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole managed IAM policy. For more information, see Amazon managed policies for Lambda features in the Amazon Lambda Developer Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["iam:DetachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy"],
          "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
          "Effect": "Allow"
        },
        {
          "Action": ["iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile"],
          "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteInfrastructureConfiguration",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*",
          "Effect": "Allow"
        },
        {
          "Action": ["imagebuilder:DeleteComponent"],
          "Resource": ["arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:component/parallelclusterimage-*/*"],
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteImageRecipe",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:image-recipe/parallelclusterimage-*/*",
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteDistributionConfiguration",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
          "Effect": "Allow"
        },
        {
          "Action": ["imagebuilder:DeleteImage", "imagebuilder:GetImage", "imagebuilder:CancelImageCreation"],
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:image/parallelclusterimage-*/*",
          "Effect": "Allow"
        },
        {
          "Action": "cloudformation:DeleteStack",
          "Resource": "arn:aws:cloudformation:<REGION>:<Amazon ACCOUNT ID>:stack/*/*",
          "Effect": "Allow"
        },
        {
          "Action": "ec2:CreateTags",
          "Resource": "arn:aws:ec2:<REGION>::image/*",
          "Effect": "Allow"
        },
        {
          "Action": "tag:TagResources",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": ["lambda:DeleteFunction", "lambda:RemovePermission"],
          "Resource": "arn:aws:lambda:<REGION>:<Amazon ACCOUNT ID>:function:ParallelClusterImage-*",
          "Effect": "Allow"
        },
        {
          "Action": "logs:DeleteLogGroup",
          "Resource": "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*:*",
          "Effect": "Allow"
        },
        {
          "Action": ["SNS:GetTopicAttributes", "SNS:DeleteTopic", "SNS:GetSubscriptionAttributes", "SNS:Unsubscribe"],
          "Resource": "arn:aws:sns:<REGION>:<Amazon ACCOUNT ID>:ParallelClusterImage-*",
          "Effect": "Allow"
        }
      ]
    }

Additional IAM policies

Build / Iam / AdditionalIamPolicies

You can use this option to attach additional managed IAM policies to the role associated with the EC2 instance that EC2 Image Builder uses to generate the custom AMI.

Warning

To use this option, make sure the Amazon ParallelCluster user is granted the iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.

Permissions boundary

Build / Iam / PermissionsBoundary

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary to all IAM roles created during the custom AMI build process.

For the list of policies required to use this feature, see PermissionsBoundary mode.